INDEX

1-tuple

16-bit architecture

1970 (end of time timestamp)

a priori trust,

abbreviation, of transit path

absolute expiration time

abstract syntax notation

abstracting

academic discipline

accepting weak keys

access

  • Access Control Lists (ACLs)
  • ACL Managers
  • Access Control List API
  • Glossary

    Access Control

    access control decision

    access control list (ACL),

    Access Control, Attributes with Triggers

    Access Control, for Attribute Types

    access determination algorithm

    access request, input to CADA

    access semantics, of permissions

    access,

    access, matrix

    accessor

    account

    account domain

    account information, conceptual part of login context

    account name, equals login name

    account, creator

    account, data (data type)

    account, entry in RS datastore

    account, exactly one key

    account, expiration

    account, flag

    account, information, administration-level

    account, lifetime

    account, local-ID (data type)

    account, name of

    account, unambiguous reference

    account, user-level information

    account, UUID (data type)

    accounts

    accuracy

    accuracy, of time source

    ACL

  • Access Control Lists (ACLs)
  • ACL Managers
  • ACL Editor RPC Interface
  • RS Editor RPC Interfaces
  • Glossary

    ACL editor,

    ACL manager API, future work

    ACL manager type UUID

    ACL manager type UUID, input to CADA

    ACL manager,

    ACL manager, ACLE types supported

    ACL manager, common

    ACL manager, multiple

    ACL manager, permission

    ACL manager, POSIX support

    ACL manager, type UUID

    ACL manager, types supported by RS

    ACL Permissions, Generic

    ACL type, not all need be supported

    ACL,

    ACL, common

    ACL, data type

    ACL, default creation

    ACL, Editor

    ACL, entry (ACLE) (data type)

    ACL, Extensions

    ACL, for xattrschema Object

    ACL, identity of

    ACL, initial

    ACL, initial container

    ACL, initial object

    ACL, multiple

    ACL, not supported in name-based

    ACL, physical separation from referent

    ACL, pointer to

    ACL, protection/object

    ACL, semantics interpreted by manager

    ACL, type

    ACL, type (data type)

    ACL, unauthenticated entry

    ACLE

    ACLE,

    ACLE, data type

    ACLE, extended information

    ACLE, permission set

    ACLEs

    ACLs

  • ACL Editor RPC Interface

    acting as a delegate

    action

    active aspect

    active bits of DES vector

    additional

    address

    addresses

    adequacy of security, evaluating

    administer permission

    administration-level information

    administrative flag

    administrative interface

    administrator

    algorithm

  • Encryption/Decryption Mechanisms
  • Key Distribution (Authentication) Services
  • ACL Managers
  • Glossary

    algorithm, access determination

    algorithm, basic DES

    algorithm, CADA

    algorithm, CBC mode

    algorithm, common access determination

    algorithm, generate RA header

    algorithm, generation of AS response

    Algorithm, intercell_action

    algorithm, KDS Error processing

    algorithm, next-hop

    algorithm, prepare authentication header

    algorithm, processing privilege authentication/RA

    algorithm, TGS request/response

    algorithm, trusted

    Algorithm, use_defaults

    algorithms

    alias

    alias, feature of principal domain

    alias, in principal domain

    allowable

    alter_context

    alter_context PDU

    alter_context_response

    alter_context_response PDU

    alternate algorithm, in future version

    alternative approach

    ambiguity, of partially qualified string

    ambiguity, syntactic, of PGO name

    AND,

    annotating a binding handle

    anonymous

    Anonymous Identity

    Anonymous Identity, data type

    Anonymous, Cell UUID

    anonymous, client

    Anonymous, Group UUID

    Anonymous, Principal UUID

    Anonymous, Version 1 UUID

    ANSI X3.106

    ANSI X3.92

    ANY_OTHER

    ANY_OTHER, algorithm

    ANY_OTHER, at most one

    ANY_OTHER, supported by common ACL manager

    ANY_OTHER_DEL

    ANY_OTHER_DEL, algorithm

    ANY_OTHER_DELEG

    API

    append

    appendix

    AppleTalk, registered address type

    application

    application, correctly written

    architecture

    arithmetic

    arithmetic, modular

    arithmetic, on timestamps

    array, of pointers to ACL

    AS

    AS request

    AS request, client sends

    AS request/response

    AS response

    AS,

    AS, receipt of request

    AS, request/response processing

    AS, response (data type)

    AS, response received by client

    ASCII

    ASN.1

    aspect, active/passive

    asserted

    asserted PAC,

    asserted, status of PAC

    assertion

    associated

    assurance, of correctly-written applications

    assured

    assured service,

    asymmetric trust peers

    atomicity, in changes to ACL

    attack

    attr_schema, ACL manager permission

    attr_schema, ACL manager type UUID

    attr_schema, supported ACLE types

    attribute

  • Well-Known Attribute Types
  • Unknown Intercell Action Attribute
  • Privilege (Authorisation) Services
  • Glossary

    Attribute Encodings

    Attribute Permissions, Additional

    Attribute Schema,

    Attribute Schemas, Well-known

    Attribute Scope

    Attribute Sets

    Attribute Trigger Facility,

    Attribute Trigger,

    Attribute Triggers

    Attribute Type Flags,

    attribute,

    attribute, of user (data type)

    attribute, PAC, in RS information

    attribute, PGO item (data type)

    attribute, policy

    attribute, privilege

    attributee

    attributes

    Attributes, Additional Permissions

    Attributes, Privilege (for EPAC)

    Attributes, Well Known

    audience

    auditing, not in this version

    auth_value.assoc_uuid_crc

    auth_value.checksum

    auth_value.credentials

    authenticated, flag in PAC

    authentication

  • Authentication Headers
  • Authentication Header Flags
  • (Reverse-)Authentication Header Processing
  • Cross-Cell Authentication
  • Privilege (Authorisation) Services
  • DCE Security Replication and Propagation

    authentication data, checked by KDS server

    authentication data, data type

    authentication data, registered

    authentication flag,

    authentication header processing

    authentication header, data type

    authentication information permission

    authentication method, in RS information

    authentication policy, in registry property

    authentication service (AS),

    authentication service, registered

    authentication,

    authentication, and Kerberos

    authentication, client sends header

    authentication, cross-cell

    authentication, data

    authentication, flag

    authentication, header omitted

    authentication, mutual, at TGS request

    authentication, of TGS service, need for

    authentication, policy

    authentication, server receives header

    authentication, service not autonomous from KDS

    authentication, situations warranting

    authentication, time of

    authentication, to KDS server

    authentication, user-to-user

    authentication, verifier (PDU)

    authentication, vs. authorisation

    authenticator, available

    authenticator, data type

    authenticator, decrypted by KDS server

    authenticator, in Kerberos protocol

    authenticator, in service request

    authenticator, in TGS request

    authenticator, timestamp in

    authenticators

    authenticity

    authenticity,

    authenticity, protected by DES

    authenticity, protected by DES-MD4/5

    authnr-Cksum, usage in CL security

    authorisation

  • Key Distribution (Authentication) Services
  • Privilege (Authorisation) Services
  • PAC-Based Privilege Service (PS)
  • Data Types
  • Name-Based Authorisation
  • Glossary

    Authorisation Algorithm, for Delegation

    authorisation data, data type

    authorisation data, registered

    authorisation decision computation

    authorisation identity, data type

    authorisation service,

    authorisation service, registered

    authorisation,

    authorisation, cross-cell

    authorisation, foreign groupsets (data type)

    authorisation, in PTGS request

    authorisation, in RS information

    authorisation, local/foreign (data type)

    authorisation, name-based

    authorisation, name-based versus PAC-based

    authorisation, vs. authentication

    Authorisation-Vetting

    authority

    authority of authentication, conceptual part of login context

    authority,

    available, authenticator

    avoided

    avoided key

    base

    basic

    basic DES

    basic DES algorithm, details

    be

    belief

    belief,

    belonging to a cell

    BER

    between

    big-endian,

    big/big-endian encoding in pickle

    bilateral authentication

    bind

    bind PDU

    bind_ack

    bind_ack PDU

    binding

    binding handle

    binding handle, RPC

    binding, to ACL server

    bit representation, permission

    BIT STRING

    BIT STRING, denoting field element

    bit,

    bit, implementation of permission

    bit, parity, in DES key

    bit, unused

    bit-position, of permissions

    bit-reflection

    bit-sequence, mapping to integer

    Bit-Sequences

    bit-vector, implementation of permission

    bit-vector, pickle as

    Bit/Byte-Sequences

    bits

    bitset

    bitset, data type

    bitwise

    bitwise boolean AND,

    bitwise boolean OR,

    bitwise boolean XOR,

    bitwise operation

    bitwise rotation

    block space

    block, DES

    block, encryption of partial

    bodies

    body

    body, of KDS request (data type)

    body, of PDU

    body, of pickle

    body, PDU

    bootstrap, use of sec_login API after

    bootstrapping trust

    bounds on ID numbers, in registry property

    buffer

    built-in integrity

    by

    byte,

    byte, interpretation as integer

    byte-sequence, mapping to integer

    Byte-Sequences

    byte-vector, pickle as

    bytes

    C language, pseudocode resembling

    cache, in RS information

    cache, maintenance

    caching

    CADA

    CADA,

    CADA, not supported in name-based

    CADA, subalgorithm

    call

    case sensitivity

    CBC

    CBC mode algorithm

    CBC mode of DES

    CCITT X.208

    CCITT X.209

    CCITT X.509

    CCITT-32

    CCITT-32,

    CDS directory service, use in RPC binding

    CDS naming syntax

    CDS-supported namespace

    cell

  • Privilege (Authorisation) Services
  • DCE Security Replication and Propagation
  • Glossary

    cell name, data type

    cell name, in registry property

    cell name, in RS information

    cell principal,

    cell UUID,

    cell,

    cell, checked by KDS server

    cell-profile

    cell-wide information

    Cells-Cross-cell

    certificate

    certificate, privilege attribute,

    certificates

    certification

    certification,

    certification, and scd_protected_noop()

    certification, basis of login validation

    certify

    certify login context

    certify,

    chain

    chain, trust,

    chaining

    chaining properties

    chaining property, satisfied by twisted CRC

    chains

    challenge

    change

    change password

    change permission

    change, date/time

    CHAOSnet, registered address type

    chapter

    character set, portable

    character, restrict choice of

    checksum

  • Encryption/Decryption Mechanisms
  • Key Distribution (Authentication) Services

    checksum type, in RS information

    checksum,

    checksum, checked by KDS server

    checksum, data type

    checksum, DES-CBC

    checksum, in TGS request

    checksum, registered type

    checksum, type (data type)

    checksums

    checksumtext

    child object,

    child process, inheritance of login context

    choices

    chunks

    cipher

    cipher block chaining CBC

    cipher function

    ciphertext, operated on by DES

    circular shift

    CL

    CL, integrity and confidentiality

    CL, security

    CL, verifier

    claimed identity

    class, of protected objects

    client

    client cell, in TGS response

    client name, in TGS response

    client name, versus CDS-registered service name

    client receives RA header

    client sends AS request

    client, anonymous

    client, in CL context

    client, in KDS Error message

    client, in transit path

    client, named

    client, named, in privilege ticket

    client, nominated

    client, receives AS response

    client, receives PTGS response

    client, receives RA header

    client, receives TGS response

    client, sends authentication header

    client, sends PA header

    client, sends PTGS request

    client, sends TGS request

    client-side access information

    client-side security context

    climate of opinion

    clock

    clock skew

    clock skew, in RS information

    clock, synchronisation

    CO

    CO integrity and confidentiality

    CO, security

    CO, verifier

    code

    codebook

    codes

    Codes/Text/Data

    coefficient, and endianness

    collision of ACLE

    collision resistance, of MD4

    collision resistance, of MD5

    collision, resistance of MD4, MD5

    collision-resistance

    combination permission, bit position

    combinations of ACLs

    combined

    comma, metacharacter in transit path

    common

  • Access Control Lists (ACLs)
  • ACL Managers
  • ACL Editor RPC Interface
  • RS Editor RPC Interfaces
  • ID Map Facility RPC Interface
  • Key Management Facility RPC Interface
  • Login Facility and Security Client Daemon (SCD) RPC Interface

    common access determination algorithm (CADA)

    common access determination algorithm,

    common access determination algorithm, CADA

    common ACL

    common ACL manager,

    common helpstring

    common permission

    common permission, bit position

    common printstring

    communication via RPC

    communication, of twisted CRC

    communication, start of protection

    compatibility

    complete

    complex permission, bit position

    complexity

    component, mapping from PGO name

    components

    composition

    composition law of CRC

    composition laws

    compress

    compressed, transit path

    compression, of transit path

    compromised

    compromises of timestamp security

    computation, authorisation decision

    computational complexity

    computing

    computing entity,

    concatenation

    concepts

    concurrent group set

    condition, on ACL

    confidence

    confidentiality

    confidentiality,

    confidentiality, CL

    confidentiality, CO

    confidentiality, protected by DES

    confidentiality, protected by DES, not MD4/5

    confounder

    conjunction,

    connection-oriented, security

    connection-oriented, verifier

    connectionless, security

    connectionless, verifier

    constants

    constructed form

    consuming the transit path

    container

    container object,

    containment of damage

    contents

    context

    context, at process start-up

    context, login

    context, of security-version UUID

    context, set for process at login

    control

    control access, using ACLs

    control permission

    controls

    conv_who_are_you_auth()

    convention, for encrypting partial blocks

    conventions

    conventions,

    conversation

    conversation key,

    conversation key, checked by KDS server

    conversation key, in CL security

    conversation key, in TGS request

    conversation key, negotiation

    conversation manager, CL

    coordination, inter-cell

    corrigenda

    cost, of changing password

    cost, of security checking

    costs

    counterfeit KDS

    counterfeit login, certification and

    counterfeit server

    cracking a cryptosystem

    CRC

    CRC, composition law

    CRC, registered

    CRC, twisted

    CRC-32

    crc_assoc_uuid

    CRCs

    creating

    creator of account

    credential

    credential,

    credential, CL

    credential, CO

    credential, issuing

    credentials

    cross-cell

    cross-cell authentication

    cross-cell authentication,

    cross-cell authorisation

    cross-cell coordination

    cross-cell referral

    cross-cell registration

    cross-cell security, poor in name-based

    cross-cell, complete scenario

    cross-registration

    cross-registration, global

    cryptanalysis,

    cryptographic checksum

    cryptographic key, data type

    cryptographic key, management

    cryptographic key, version number

    cryptography

    cryptography,

    cryptography, trusted algorithm/protocol

    cryptology

    cryptology,

    cryptovariable,

    current

    current login context

    current login context, at process start-up

    current long-term key

    cursor

    cursor, current position

    Cursor, for Delegate Iteration

    Cursor, for Extended Attributee Iteration

    cursor, in RS datastore

    cursor, meaningless across RS servers

    cursor, wrap-around

    cyclic

    cyclic redundancy checksum

    daemon

    daemon,

    daemon, inherited login context

    daemon, security-client

    damage containment

    data

  • Privilege (Authorisation) Services
  • Access Control Lists (ACLs)
  • ACL Managers
  • ACL Editor RPC Interface
  • RS Editor RPC Interfaces
  • ID Map Facility RPC Interface
  • Key Management Facility RPC Interface
  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • Access Control List API
  • Registry API
  • ID Map API
  • Key Management API
  • Login API
  • Glossary

    data encryption standard (DES),

    data encryption standard,

    data repository (registry)

    data representation

    data type, ACL

    data type, ACL manager

    data type, Anonymous Identity

    data type, applicability to PS

    data type, authorisation identity

    data type, compatibility modes

    data type, Cursor (Delegate Iteration)

    data type, Cursor (Extended Attributee Iteration)

    data type, delegate restriction entry types

    data type, delegate restriction types

    data type, delegation compatibility modes

    data type, delegation restrictions

    data type, Delegation Token

    data type, Delegation Token Set

    data type, EPAC Seal

    data type, extended PAC (EPAC)

    data type, for EPAC Data

    data type, foreign groupset identity

    data type, foreign identity

    data type, Handle (attribute data)

    data type, in RS information

    data type, Kerberos

    data type, List of Seals

    data type, optional restrictions

    data type, PAC

    data type, PAC (Extended)

    data type, PAC format

    data type, Privilege Attributes

    data type, privilege authentication header

    data type, privilege RA header

    data type, privilege-ticket

    data type, PTGS request

    data type, required restrictions

    data type, restrictions

    data type, rpriv ps_app_tkt_result

    data type, rpriv ps_attr_request

    data type, rpriv ps_attr_result

    data type, rpriv ps_message

    data type, Set of PACs (Extended)

    data type, storable as pickle

    data type, Supported Delegation Types

    data type, Supported Seal Types

    data type, target restriction entry types

    data type, target restriction types

    data type, target restrictions

    data type, Version 0 Token Flags

    data versus metadata

    data, account (data type)

    data, encrypted (data type)

    Data, Extended PAC (EPAC)

    data, pre-authentication

    database

    datastore

    datastore query, result

    datastore, in RS

    datastore, lookup by local ID

    datastore, lookup by UUID

    datastore, quota

    datastream

    date, creation of account

    dbyte

    DCE

    DCE Delegation Model,

    DCE X.500 name type

    dce-ptgt

    dce-ptgt, reserved account

    dce-ptgt, reserved name

    dce-rgy

    dce-rgy, reserved account

    dce-rgy, reserved name

    dce_c_authn_level_integrity

    dce_c_authn_level_integrity, CL

    dce_c_authn_level_pkt

    dce_c_authn_level_pkt, CL

    dce_c_authn_level_pkt, CO

    dce_c_authn_level_pkt_integrity

    dce_c_authn_level_pkt_integrity, CO

    dce_c_authn_level_pkt_privacy

    dce_c_authn_level_pkt_privacy, CO

    dce_c_authn_level_privacy

    dce_c_authn_level_privacy, CL

    dce_c_cn_sub_type_des

    dce_c_cn_sub_type_md5

    DEA,

    decipher

    DECnet Phase IV, registered address type

    decode,

    decode/decrypt

    decrypt,

    decrypt, RA header

    decryption

    decryption, by KDS server

    decryption, CBC

    decryption, DES

    decryption, in received AS response

    decryption, in TGS response

    decryption, notation

    decryption, unsuccessful

    decryption, via DES

    default cell UUID

    default cell, ACLEs that refer to

    default creation ACL,

    definite form

    definitive identifier

    degree, of polynomial defining CRC

    delay, reflected in skew

    delegate

    delegate, ACLEs

    delegation

  • Components of Delegation Model
  • Enabling and Disabling Delegation
  • Delegation Controls
  • Delegation Tokens
  • Privilege (Authorisation) Services
  • Login API
  • Glossary

    delegation compatibility modes, data type

    Delegation Components - EPAC

    Delegation Controls

    delegation foreign ACLE type

    delegation local ACLE type

    Delegation Model - Components,

    Delegation Model - overview

    Delegation Token

    Delegation Token, data type

    Delegation Token, in PTGT

    Delegation, Authorisation Algorithm

    delegation, in this version

    Delegation, Login Functions

    Delegation, Remote Interfaces

    Delegation-Related

    delete

    delete item permission

    delete permission

    deletion of key

    denial

    denial of service

    denial of service, based on client address

    denial of service, from expired key

    denying access

    DER

    derived

    DES

  • Glossary

    DES block

    DES key, data type

    DES,

    DES, decryption

    DES, no raw API

    DES, restriction by governments

    DES, usage to ensure integrity

    DES-CBC

    DES-CBC checksum,

    DES-CBC-CRC encryption

    des_key

    details

    determination

  • ACL Managers
  • Glossary

    development

    dictionary attack

    difference between tickets

    different cell, PTGS processing

    digest, MD4

    digest, MD4, MD5

    digest, MD5

    digests

    dir_seq

    direct

    directory services

    Directory Services, and RPC binding

    directory, ACL manager permission

    directory, ACL manager type

    directory, ACL manager type UUID

    directory, supported ACLE types

    disable_time_interval

    disabling

    Disabling delegation

    disclosure, of ACLs unspecified

    discretionary policy

    discussion

    disjunction,

    display, of permission

    distinct principals

    distinct, integer (nonce)

    distinctness, of pgo-UUID

    distinguished encoding restriction

    distributed

    distributed environment

    distributed RPC

    distributed security,

    distributed time service (DTS),

    distributed, RPC service

    distribution

    DNS name type

    doctrine

    doctrine, Kerckhoffs'

    document

    domain

    domain,

    domain, account

    domain, and aliases

    domain, data type

    domain, group

    domain, naming

    domain, of ACL in model

    domain, organisation

    domain, principal

    dot notation

    double-UUID scheme

    DTS

    DTS,

    dummy operation

    duplicate cell names

    dynamic information, in ID map facility

    e

    earlier, in comparing timestamps

    editor

    Editor, ACL

    editor, ACL,

    editor, registry

    editor, registry (RS)

    editors

    ergodicity of DES

    empty PAC

    empty string

    enabling

    Enabling delegation

    encipher

    encode

    encode,

    encode, BER

    encode, pickle

    encoding

    encoding service

    Encoding/Decoding

    encodings

    encrypt

    encrypt,

    encrypted

    encrypted data, data type

    encrypted part of ticket

    encrypted pickle, data type

    encryption

  • DCE Security Replication and Propagation
  • Glossary

    encryption key, data type

    encryption key, in RS information

    encryption key, registered

    encryption type, initialisation

    encryption type, registered

    encryption, CBC

    encryption, in AS response

    encryption, in TGS request

    encryption, MD4 is not

    encryption, MD5 is not

    encryption, notation

    encryption, of partial blocks

    encryption, of ticket

    encryption, trivial

    encryption, type (data type)

    encryption, via DES

    Encryption/Decryption

    end of time

    endianness

    endianness,

    endpoint map

    English, use in common ACL manager

    enhancement not precluded

    entity

    entity, active/passive aspect

    entries

    entry

    entry (ACLE), data type

    entry, ACL

    environment

    environment, distributed

    environment_set

    environmental

    Environmental Parameters,

    environments

    EPAC

  • Privilege (Authorisation) Services
  • EPAC Accessor Function (sec_cred) API
  • Glossary

    EPAC Seal, EPAC Seal

    EPAC sets

    EPAC sets, linked to tickets

    EPAC, Access Functions

    EPAC, input to CADA

    EPACs

    EPACs, Receiving

    EPACs, Transmitting

    epoch,

    equal principals

    ERA

    ERA,

    ERA, disable_time_interval

    ERA, environment_set

    ERA, login_set

    ERA, max_invalid_attempts

    ERA, minimum_password_cycle_time

    ERA, passwd_override

    ERA, password_generation

    ERA, passwords_per_cycle

    ERA, pre_auth_req

    ERA, pwd_mgmt_binding

    ERA, pwd_val_type

    ergodicity

    error

  • Privilege (Authorisation) Services
  • Error Code Mapping List

    error message, KDS

    error status code, data type

    error status code, registered

    error, KDS

    error, KDS (data type)

    error, order of reporting

    error, PS processing

    error, PS, no special data type

    error-detecting property

    error_status_ok, in kds_request

    errors

    escape metacharacter

    establish credential, CL

    establish credential, CO

    establishing identity

    establishment

    evaluate adequacy of security

    exclusive or,

    execute permission

    exotic combinations of ACLs

    expanded, transit path

    expansion

    expiration

    expiration time

    expiration, account

    expiration, checked by KDS server

    expiration, checking

    expiration, in RS information

    expiration, in TGS request

    expiration, in TGS response

    expiration, initialisation

    expiration, of account

    expiration, password

    expire time, interpretation

    EXTENDED

  • Access Control Lists (ACLs)

    extended ACLE information

    extended ACLE type

    extended ACLE, prohibited from common ACL

    extended PAC (EPAC), data type

    Extended Privilege, Attribute Facility

    Extended Registry, Attribute Facility

    EXTENDED, optional in common ACL manager

    extending the naming model

    extension

    f

    F() (used in definition of MD4)

    F() (used in definition of MD5)

    facility

  • ID Map Facility RPC Interface
  • Key Management Facility RPC Interface
  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • Glossary

    failed service request

    failure, in received response

    fan-folding

    feasibility, of key search attack

    federated naming

    field

    file group class ACLEs

    file, key table

    final

    final permutation

    fingerprint

    fingerprint,

    first

    first failure encountered

    flag, account's datastore information

    flag, administrative

    flag, authentication

    flag, authentication header

    flag, data type

    flag, KDS request (data type)

    flag, ticket (data type)

    flag, word, POSIX semantics

    flags

    foreign

    foreign ACLE type

    foreign authorisation, data type

    foreign group, in PAC

    foreign groups authorisation, data type

    foreign groupsets authorisation, data type

    foreign secondary group ID

    FOREIGN_GROUP

    FOREIGN_GROUP, algorithm

    FOREIGN_GROUP, limitation in common ACL

    FOREIGN_GROUP, supported by common ACL manager

    FOREIGN_GROUP_DEL, algorithm

    FOREIGN_GROUP_DELEG

    FOREIGN_OTHER

    FOREIGN_OTHER, algorithm

    FOREIGN_OTHER, limitation in common ACL

    FOREIGN_OTHER, supported by common ACL manager

    FOREIGN_OTHER_DEL

    FOREIGN_OTHER_DEL, algorithm

    FOREIGN_OTHER_DELEG

    FOREIGN_USER

    FOREIGN_USER, algorithm

    FOREIGN_USER, limitation in common ACL

    FOREIGN_USER, supported by common ACL manager

    FOREIGN_USER_DEL, algorithm

    FOREIGN_USER_DELEG

    formalisation of security theory

    format

    format, for displaying permission

    format, of PAC

    format, PAC (data type)

    formats

    formatting details,

    forward, combined with proxy

    forwardable, in AS response

    forwardable, in RS information

    forwardable, in TGS request

    forwardable, initialisation

    forwardable, KDS request flag

    forwardable, ticket flag

    FP

    frequency of changing password

    freshness, of authenticator

    frontmatter

    full BER

    full name

    fullname permission

    function

    fundamental

    further

    future work, solve multi-hop trust chain problem

    G() (used in definition of MD4)

    G() (used in definition of MD5)

    G-name

    gecos

    generalities

    generalities on security

    generation of ticket

    generation of weak keys

    generator, of CRC

    generic permissions

    genuine, received ticket

    geographic dispersion

    global

    Global Group Name

    Global Group Name, from Cell UUID and Group UUID

    global KDS cross-registration

    global PGO name

    Global Principal Name, from Cell UUID and Principal UUID

    global root

    global uniqueness

    glossary

    goal of security

    good password

    government, restriction on use of DES

    grace period

    granting access

    granting ticket

    granularity of time

    group

    group delegate

    group domain

    group permission

    group UUID,

    group, ACL manager permission

    group, ACL manager type

    group, ACL manager type UUID

    GROUP, algorithm

    group, identity (data type)

    group, in account item

    group, in PAC

    GROUP, limitation in common ACL

    group, primary vs. secondary

    group, separate namespace

    group, supported ACLE types

    GROUP, supported by common ACL manager

    group-ID

    group-name

    GROUP_DEL, algorithm

    GROUP_DELEG

    GROUP_OBJ

    GROUP_OBJ, algorithm

    GROUP_OBJ, at most one

    GROUP_OBJ, optional in common ACL manager

    GROUP_OBJ/GROUP/FOREIGN_GROUP

    GROUP_OBJ_DEL, algorithm

    GROUP_OBJ_DEL/GROUP_DEL/FOREIGN_GROUP_DEL

    GROUP_OBJ_DELEG

    groups

    guarantee, that SCD server is genuine

    guarantee, unique stringname

    guessing password

    H() (used in definition of MD4)

    H() (used in definition of MD5)

    hand-rolled pickle

    handle

    handle, binding, annotating

    Handle, for Privilege Attribute Data

    handle, protected, obtain

    handle, RPC binding

    handle_t

    hardware

    hardware, basis of key security

    hash

    hash,

    hash, CRC-32

    header

  • Privilege (Authorisation) Services

    header, authentication (data type)

    header, authentication, omitted

    header, authentication, processing

    header, client sends authentication

    header, of PDU

    header, of pickle

    header, privilege authentication (data type)

    header, privilege RA (data type)

    header, RA, client receives

    header, reverse authentication (data type)

    header, version number

    headers

    helpstring

    helpstring, and common ACL manager

    helpstring, common

    helpstrings

    hierarchy, of principals, groups and orgs

    hierarchy, organisational

    high-level ACL manipulation, not specified

    high-order bit, use of, in permission

    hint, in secidmap interface

    home

    home cell

    home cell,

    home directory

    honouring a ticket, time constraints on

    hop, in RS information

    host

    host address, communications, not security

    host address, data type

    host address, registered

    host principal name

    host-name, reserved account

    host-name, reserved name

    host-name, versus other machine name

    hot list, in RS information

    human understanding of security

    human-friendly stringname, in PGO item

    human-readable

    I() (used in definition of MD5)

    ID

    ID map facility

    ID map facility, bidirectional mapping

    identifier, definitive

    identifier, of RPC transfer syntax

    identifying

    identities

    identity

    identity, authorisation (data type)

    identity, authorisation, by PS

    identity, certainty of

    identity, data type

    identity, establishing

    identity, in AS response

    identity, in Kerberos protocol

    identity-based policy

    IDL, specifies pickles

    IDL/NDR

    idl_pkl_header_t,

    ignorance of algorithm

    illicit use of resources

    immediate

    impersonation

    implementation

    implementation requirement

    implementation variability

    implementation variability, in header processing

    implementation, not constrained by pseudocode

    import/export of DES

    in

    in_data

    in_data, CL

    indicator of position

    indirect trust

    indirect trust chain

    infallibility, relative

    infinite privilege

    information

    information, administration-level

    information, registry (RS)

    information, RS (data type)

    inheritance

    inheritance model

    inheritance of ACLs

    inheritance rules, and common ACL manager

    inheritance, of login context

    init process, login context

    init, use of sec_login API

    initial

    initial ACL,

    initial container ACL,

    initial key

    initial object ACL,

    initial permutation

    initial registration

    initial ticket, issuing

    initialisation vector, DES

    initialisation vector, of CRC

    initialise

    initialise permission

    initiator

    input

    Input/Output

    insecure

    insert permission

    instance

    instance, synonymous with server

    integer

    integer, mapping to bit-sequence

    integer, mapping to byte-sequence

    integer, mapping to mixed bit/byte-sequence

    integers

    integration

    integration with time services

    integrator

    integrity

    integrity,

    integrity, built-in

    integrity, CL

    integrity, CO

    integrity, protected by DES

    integrity, protected by DES-MD4/5

    intended

    intentional request, of cross-cell referral ticket

    inter-cell coordination

    interaction

    intercell

    intercell_action

    intercell_action, Algorithm

    interchangeability, of CADA steps

    interests of client

    interface

  • RS Editor RPC Interfaces
  • The rs_policy RPC Interface
  • Interface UUID and Version Number for rs_policy
  • The rs_pgo RPC Interface
  • Interface UUID and Version Number for rs_pgo
  • The rs_acct RPC Interface
  • Interface UUID and Version Number for rs_acct
  • The rs_misc RPC Interface
  • Interface UUID and Version Number for rs_misc
  • The rs_attr RPC Interface
  • Interface UUID for rs_attr
  • The rs_attr_schema RPC Interface
  • Interface UUID for rs_attr_schema
  • The rs_prop_acct RPC Interface
  • Interface UUID and Version Number for rs_prop_acct
  • The rs_prop_acl RPC Interface
  • Interface UUID and Version Number for rs_prop_acl
  • The rs_prop_attr RPC Interface
  • Interface UUID and Version Number for rs_prop_attr
  • The rs_prop_attr_schema RPC Interface
  • Interface UUID and Version Number for rs_prop_attr_schema
  • The rs_prop_pgo RPC Interface
  • Interface UUID and Version Number for rs_prop_pgo
  • The rs_prop_plcy RPC Interface
  • Interface UUID and Version Number for rs_prop_plcy
  • The rs_prop_replist RPC Interface
  • Interface UUID and Version Number for rs_prop_replist
  • The rs_pwd_mgmt RPC Interface
  • Interface UUID and Version Number for rs_pwd_mgmt
  • The rs_qry RPC Interface
  • Interface UUID and Version Number for rs_qry
  • The rs_repadm RPC Interface
  • Interface UUID and Version Number for rs_repadm
  • The rs_replist RPC Interface
  • Interface UUID and Version Number for rs_replist
  • The rs_repmgr RPC Interface
  • Interface UUID and Version Number for rs_repmgr
  • The rs_rpladmn RPC Interface
  • Interface UUID and Version Number for rs_rpladmn
  • The rs_unix RPC Interface
  • Interface UUID and Version Number for rs_unix
  • The rs_update RPC Interface
  • Interface UUID and Version Number for rs_update
  • ID Map Facility RPC Interface
  • The secidmap RPC Interface
  • Common Data Types and Constants for the secidmap Interface
  • Interface UUID and Version Number for the secidmap Interface
  • Key Management Facility RPC Interface
  • The Key Management RPC Interface
  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • The scd RPC Interface
  • Common Data Types and Constants for scd Interface
  • Interface UUID and Version Number for scd Interface
  • Part 3

    interface UUID, ACLs

    interface UUID, rs_acct

    interface UUID, rs_attr

    interface UUID, rs_attr_schema

    interface UUID, rs_bind

    interface UUID, rs_misc

    interface UUID, rs_pgo

    interface UUID, rs_policy

    interface UUID, rs_prop_acct

    interface UUID, rs_prop_acl

    interface UUID, rs_prop_attr

    interface UUID, rs_prop_attr_schema

    interface UUID, rs_prop_pgo

    interface UUID, rs_prop_plcy

    interface UUID, rs_prop_replist

    interface UUID, rs_pwd_mgmt

    interface UUID, rs_qry

    interface UUID, rs_repadm

    interface UUID, rs_replist

    interface UUID, rs_repmgr

    interface UUID, rs_rpladmn

    interface UUID, rs_unix

    interface UUID, rs_update

    interface UUID, scd

    interface UUID, secidmap

    interface, administrative

    interface, RPC

    Interface, rpriv

    Interface, sec_id_epac_base

    interfaces

    intermediary

    intermediate

    intermediate cell in trust chain

    Internet host name, versus host-name

    Internet, DNS name type

    Internet, registered address type

    interpret, ticket

    interval, data type

    introduction, replication and propagation

    introduction, security services

    intuitive model

    invalid, ticket flag

    inverse initial permutation

    invisible, password

    IP

    irreducible generator

    is

    ISO 8859-1

    ISO, registered address type

    issues

    issuing cell TCB

    issuing credential

    issuing initial ticket

    item

    item,

    item, policy

    items

    iteration

    junction, namespace

    KDC (RFC 1510)

    KDS

  • KDS Errors
  • AS Request/Response Processing
  • TGS Request/Response Processing
  • KDS Error Processing
  • Privilege (Authorisation) Services

    KDS request, data type

    KDS server, must be principal

    KDS,

    KDS, as registry client

    KDS, at least one per cell

    KDS, basis of name-based authorisation

    KDS, counterfeit

    KDS, error (data type)

    KDS, error message

    KDS, error processing

    KDS, invoked only indirectly

    KDS, knowledge of foreign servers

    KDS, password irrelevant to

    KDS, request body (data type)

    KDS, request flag (data type)

    KDS, response (data type)

    KDS, response, encrypted part

    KDS, server receives TGS request

    KDS, TGS request/response processing

    KDS, ticket obtained at login

    KDS, two services

    KDS, use of protected RPC

    kds_request(), overview

    kerberos

    Kerberos,

    Kerberos, and use of most recent key

    Kerberos, maximum ticket lifetime

    Kerberos, outline of protocol

    Kerberos, registered service

    Kerberos, unregisterable data

    kerckhoffs

    kerckhoffs'

    Kerckhoffs', doctrine

    key

  • Key Management Facility RPC Interface
  • The Key Management RPC Interface
  • Common Data Types and Constants for Key Management
  • Key Management API
  • Glossary

    key distribution service (KDS),

    key distribution service,

    key management facility,

    key management, no special RPC interfaces

    key schedule

    key type

    key version number, presence/absence of

    key,

    key, deletion of

    key, DES

    key, DES (data type)

    key, distributed by KDS

    key, distribution service

    key, encryption (data type)

    key, exactly one per account

    key, frequency of changes

    key, in AS response

    key, in Kerberos protocol

    key, in TGS response

    key, limit on duration of validity

    key, long-term

    key, long-term, retrieval

    key, long-term/short-term

    key, lookup, in PGO item

    key, management

    key, mapping to password, registered

    key, MD4 does not depend on

    key, MD5 does not depend on

    key, most recent

    key, possibly-weak

    key, query, type

    key, safe lifetime

    key, search attack

    key, semi-weak

    key, session

    key, session/conversation

    key, to be avoided

    key, true session

    key, type, in RS information

    key, version number

    key, weak

    key-based

    key_seq_num

    keying information

    keys

  • Key Distribution (Authentication) Services

    knowledge

    knowledge of foreign KDS servers

    knowledge,

    krb5rpc

    krb5rpc identity, element of cell-profile node

    krb5rpc, metadata explicit in

    krb5tgt, reserved account

    krb5tgt, reserved name

    krbtgt

    KS

    language, natural

    LAS+TGS,

    last

    last request, data type

    last request, in RS information

    last request, in TGS response

    last request, inspection

    last request, registered

    later, end of time timestamp

    later, in comparing timestamps

    laws

    laws, composition

    least privilege

    least-significant byte (LSB),

    left

    left shift, in DES

    left shift/rotate

    legal ACL

    length

    length, of pickle

    length, password

    lifetime timestamp

    lifetime, account

    lifetime, in AS request

    lifetime, in registry property

    lifetime, of key in DES

    lifetime, of ticket

    lifetime, password

    lifetime, renewable

    lifetime, ticket

    lifetime, ticket, in RS information

    link, in trust chain

    linking

    links of chains

    list

  • Access Control List API
  • Error Code Mapping List
  • Glossary

    list of UUIDs

    list, access control (ACL),

    list, of pointers to ACL

    lists

    literature, current

    little-endian,

    local

    local ACLE type

    local authorisation, vs. foreign

    local cell UUID,

    local group, in groupset

    local group, in PAC

    local ID

    local ID, account (data type)

    local ID, lookup by

    local key store, management of keys in

    local password, data type

    locate

    lock,

    locking, semantics not specified

    logical security,

    login

  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • Login API
  • Glossary

    login context, non-interactive basis

    Login Denial

    Login Denial, Client Overview

    Login Denial, Overview

    Login Denial, Server Overview

    login facility,

    Login Functions, for delegation

    login name, equals account name

    login program,

    login request protocol

    login response protocol

    login shell

    login, availability of characters

    login_set

    long

    long PGO name

    long-term key

    long-term key, in RS information

    long-term key, one per account

    long-term key, retrieval

    longword,

    lookup by local ID

    lookup by UUID

    lookup key, data type

    lookup, result

    lost, information in PTGS request

    low-order bit, use of, in permission

    LS

    LSB,

    <dce/acct.h>

    <dce/aclbase.h>

    <dce/binding.h>

    <dce/keymgmt.h>

    <dce/misc.h>

    <dce/pgo.h>

    <dce/policy.h>

    <dce/rgynbase.h>

    <dce/sec_login.h>

    <dce/sec_rgy_attr.h>

    <dce/sec_rgy_attr_sch.h>

    <dce/secidmap.h>

    machine name, versus host-name

    machine principal name

    management

  • Key Management Facility RPC Interface
  • The Key Management RPC Interface
  • Common Data Types and Constants for Key Management
  • Key Management API
  • Glossary

    management information permission

    manager

  • RS Editor RPC Interfaces
  • Glossary

    manager, ACL,

    managers

  • ACL Managers

    managing keys

    mandatory policy

    manipulated old ticket

    map

    map, endpoint

    map, password to cryptographic key

    mapping

    mapping, password-to-key, registered

    mappings

    marshall, pickle

    mask ACLE type

    MASK_OBJ

    MASK_OBJ, and sec_acl_calc_mask()

    MASK_OBJ, at most one

    MASK_OBJ, optional in common ACL manager

    masking step in CADA

    masking step in DADA

    masquerade

    master

    master replica

    master/slave RS server

    matching

    matching step in CADA

    matching step in DADA

    mathematical probability

    matrix, access

    max_invalid_attempts

    maxClockSkew

    maximum

    maximum clock skew

    maximum clock skew, in RS information

    maximum ticket lifetime

    MD4

    MD4,

    MD4, no raw interface

    MD5

    MD5,

    MD5, no raw interface

    MD5, usage to ensure integrity

    mechanism

    mechanism,

    mechanisms

    mediation, of trust link across cells

    member of group,

    membership permission

    memorisation of password

    memory, inability to allocate

    message

  • Glossary

    Message Digest 5 (MD5),

    message digest, produced by MD4

    message digest, produced by MD5

    message identity code (MIC),

    message type, data type

    message type, in KDS Error message

    message,

    message, KDS Error

    message, notation

    messages

    metacharacter, escaping

    metacharacter, in cell name

    metacharacter, in transit path

    metadata

    metadata, pickle header

    metadata, tickets and authenticators

    metaticket,

    MIC,

    microsecond timestamp

    microsecond timestamp, alternative implementation

    microsecond, checked by KDS server

    microsecond, in KDS Error message

    microseconds

    minimum

    minimum implementation requirement

    minimum number of octets

    minimum_password_cycle_time

    mirrored RS server

    miscellaneous

    misuse of resources

    mix-in string

    mixed

    mixed bit/byte-sequence, mapping to integer

    mode

    mode, access

    model

    model of security,

    model, extend to multi-cell case

    model, extension of

    model, federated naming

    model, inheritance

    model, programming, RPC

    model, RPC binding

    model, shape, trusted

    models

    models, academic

    modes

    modification, date/time

    modular

    modular arithmetic

    monitor

    monitor, reference

    most recent key

    most-significant byte (MSB),

    MSB,

    multi-cell TCB

    Multi-Hop

    multi-hop trust chain

    multi-prong

    multi-prong attack

    multi-valued

    multiple

    multiple ACLs,

    multiple UUIDs

    mutual authentication

    mutual authentication, checked by KDS server

    mutual authentication, future work

    mutual authentication, in TGS request

    mutual authentication, of TGS service

    mutual required

    mutual trust

    n-tuple

    name permission

    name, data type

    name, full

    name, global PGO

    name, mapping by ID map facility

    name, of account

    name, of cell (data type)

    name, principal (data type)

    name, reserved

    name, RS (data type)

    name-based

    name-based authorisation

    name-based group, not supported

    named client

    named client, in privilege ticket

    names

  • RS Editor RPC Interfaces
  • ID Map Facility RPC Interface

    namespace junction

    namespace, separate

    NAMETYPE

    naming

    naming domain

    naming domain, data type

    naming model, extension of

    naming services, integration with security

    naming syntax, CDS

    natural language

    NDR format label

    NDR, encoding/marshalling of pickles

    NDR, not used in pickle fields

    needed

    negation, boolean,

    negotiation, in RS information

    negotiation, of conversation key

    network

    network delay

    network identity information, mapped at login

    network login context

    network TCB,

    network, compromise

    new ticket

    newly issued ticket

    next hop, in RS information

    nibble, not used in this specification

    no-op

    no-op, protected

    node, RPC cell profile

    nominate client,

    nominated client

    non-alphabetic, required in password

    non-cryptographic checksum

    non-empty, header and body of pickle

    non-interactive subject, and key management facility

    Non-Intermediary

    non-invertible digest

    non-linearity of DES

    nonce, as challenge

    nonce, checking

    nonce, data type

    nonce, in AS request

    nonce, in TGS request

    nonce, in TGS response

    nonce, initialisation

    nonces

    none, reserved group name

    none, reserved organisation name

    normal form, bytes of DES key

    not,

    notation

    notation,

    notation, for CBC encryption/decryption

    notation, for decryption

    notation, for encryption

    notes

    number

    number, random (data type)

    number, sequence (data type)

    numbers

    numerical rotation

    numerical rotation,

    O-name

    object

    object ACL,

    object,

    object, control of access to

    object, group